Richard Stallman in "power of the rulers"

Take a look at this: The wheel Group « UNIX Administratosphere

Does Stallman not realize that users are given control over the computer - for a reason?! You don't fix malicious administrators by taking control of the system away from everybody - you do it by firing them! He's forced this insecure philosophy on us because he's bitter about someone taking advantage of him in the past?!

Absolutely ridiculous, of course. The way he puts it makes it look like GNU/Linux should be vulnerable to social engineering attacks by design.

Instead, IMO the wheel group makes little sense in su, since its usage should be prevalent across all users of a system. Using wheel here would stop users not in that group from temporarily trading privileges, for instance. And putting everyone in the wheel group is... the same as not using the wheel group.

wheel is a lot more useful with sudo, which is clearly root oriented and allows system administrators to work as regular users and avoids certain pitfalls of the su command (like forgetting to exit the shell). It's also very common among single users running their own desktops.

The article is not clear on a few aspects. Starts by saying wheel is seldom used and keeps on admitting it is widely used. Not sure what the author wants to say. Maybe that indeed wheel has very little use in su, but a lot in sudo.

As for Stallman's remark, it's absolutely ridiculous in the context of a technical reason for not supporting wheel in su (there's nothing technical in all that idiocy). But mostly because obviously nobody gives a rat's arse about Stallman's opinion. If there was a real need to support wheel, it would be implemented. End of story. You just don't go around distributing a server-capable industry-strength operating system with a design based on quotes like that.

In other words, it's a lie. That's not the reason why it isn't supported out of the box. And this is made even more clear when the official documentation makes a point of distancing itself from that text by noting it's a one person statement (su invocation - GNU Coreutils)

Does Stallman not realize that users are given control over the computer - for a reason?!

Users should have absolutely no control over the computer.

Users should only have control over the resources they need.

You don't fix malicious administrators by taking control of the system away from everybody - you do it by firing them!

WHAT!? You've totally missed the point! He didn't take "control of the system away from everybody"; he gave control of the system to everybody who knew the root password!

Any user (on a GNU `su' system without the appropriate "PAM" modules active), "wheel" or not, could simply `su' and do whatever they wanted.

The "wheel" group acted as a barrier, albeit a small one, for a normal user to get root, but the `su' provided by GNU doesn't honor this classic contract.

He's forced this insecure philosophy on us because he's bitter about someone taking advantage of him in the past?!

No. He isn't. He can't.

I doubt anyone simply using a "*nix" box has ever noticed.

Anyone administering a "*nix" system should know about this (the issue is like twenty years old) and manage the situation appropriately. (Which could be anything from manually changing some permissions to get the same effect, replacing GNU `su' with "Shadow" `su', just using "PAM", or allowing everyone to run with root privileges with clever use of "SELinux".)

Instead, IMO the wheel group makes little sense in su, since its usage should be prevalent across all users of a system.

WHAT!?

The administrator in me just died a little!

The use of `su' (for root) should be restricted from just about everyone at all times.

Using wheel here would stop users not in that group from temporarily trading privileges, for instance.

And allowing users to control their own privileges sounds like a good idea to you?

It would be a lot faster to just give out the root password.

What are you trying to do? No. Seriously. What are you trying to do? I want to know. I can almost certainly help.

wheel is a lot more useful with sudo, which is clearly root oriented and allows system administrators to work as regular users and avoids certain pitfalls of the su command (like forgetting to exit the shell).

Unlike a lot of "old hat" guys, I really like `sudo', but I have to say, if you are forgetting to reduce your privileges, you are using `su' wrong and the common default configuration of `sudo' (staying "sudoed" for a specific time) will not help you.

That said, how is "wheel a lot more useful with sudo"? Or are you really just saying that `sudo' is more "user friendly" than `su'? I'd agree with that.

If there was a real need to support wheel, it would be implemented.

Correct. There is no need for `su' to support "wheel". There are better tools available to distribute and manage privileges and resources. These tools should be used instead. But, many people coming from other "*nix" systems (OpenBSD would be a favorite) are used to the mechanism and like having it around.

In other words, the "requirement" for "wheel" support is much like the "reason" GNU `su' doesn't have "wheel" support. They are purely personal and historic artifacts. I guess you could say "philosophical" if you wanted to be nice.

In other words, it's a lie.

If I remember my history (I'm sure I do, I'm just too lazy to confirm.), Richard Stallman wrote the first version of GNU `su' so it probably is true that the reason is a personal one.

But mostly because obviously nobody gives a rat's arse about Stallman's opinion.

Did you hear me? I'll repeat: The use of `su' (for root) should be restricted from just about everyone at all times.

Well, that's because the administrator in you is just looking at su as a means to gain root privileges. Thing is, it's not.

You want to know a secret? THAT IS WHAT THE ARTICLE AND THE ISSUE IS ABOUT.

Yes, when that means users can su into other users. Something they definitely can't do with sudo.

o_O

You can't `su' into other users with a tool not designed to do that? Bummer!

Wait! Wow! You know what you can do? You can execute commands with `sudo' as another user without needing to `su' at all.

Oh, wait, that's what `sudo' was designed for... silly me.

Because sudo is a type of "su to root only", here a wheel group could make sense. sudoers can be defined on a user basis, or in more complex environments, as part of a group; wheel.

O_o

Do you ever actually read anything anyone posts?

Or do you just not understand anything?

Or is this stupidity somehow targeted only at me?

If your display of stupidity is somehow targeted only at me, please let me know. I'll stop wasting time trying to account for it.

*shrug*

I'll try once more, and once more only, to make this issue clear for you.

The "wheel" group traditionally only controlled who could `su' to root. IT DID NOT CONTROL WHO USED `SU' TO SUBSTITUTE ANOTHER USER ID! (For the record, most administrators did and do prevent any use of `su' by a user as a matter of practice, but that is not the default behavior, and it has nothing to do with the `su' and "wheel" relationship.)

In other words, any user, who knew the passwords, could use `su' to operate as another user regardless of group privileges. The "wheel" group association only controlled account privileges of `su' to root.

Phantomap. It's impossible to talk with you. You are constantly aggressive and offensive every time the debate doesn't go the way you intend it to. I'm tired of it. You are just going to my ignore list after this.

Who the heck said anything about passwords? In the entire thread I haven't used that word once, until now. What makes you think giving access to the su command will immediately give everyone access to the root account?

I humbly request that this thread be locked in honour of that last statement.

Done, but less because of said statement, and more because I do think there was more sarcastic aggression than is necessary or pleasant. If anyone wants to add something PM me or a moderator to reopen it.
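
The thread notes that GNU `su' only honours a wheel-style restriction when the appropriate PAM module is active. As an added example (not written by any poster in this thread), the script below parses a PAM service file for su and reports whether an uncommented pam_wheel.so rule actually gates su on group membership. The function name, status strings and sample files are constructed for illustration; bracketed control values and included files are not followed.

```shell
#!/bin/sh
# Added example: classify how a PAM "su" service file uses pam_wheel.so.
#   restricted   - an active required/requisite pam_wheel.so rule gates su
#   trust-only   - pam_wheel.so only lets group members skip the password
#   unrestricted - no active pam_wheel.so gate (anyone with the password can su)

su_wheel_status() {
    # $1: path to a file in /etc/pam.d/su format
    awk '
        /^[[:space:]]*#/ { next }              # commented-out rule is inactive
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            deny = 0; trust = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "deny")  deny = 1
                if ($i == "trust") trust = 1
            }
            if (deny) next                      # deny inverts the test: not a wheel gate
            if ($2 == "required" || $2 == "requisite") gate = 1
            else if (trust) seen_trust = 1
        }
        END {
            if (gate) print "restricted"
            else if (seen_trust) print "trust-only"
            else print "unrestricted"
        }
    ' "$1"
}

# Constructed sample files (not copied from any real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' 'auth sufficient pam_rootok.so' \
    '# auth required pam_wheel.so use_uid' \
    'auth required pam_unix.so' > "$demo_dir/su.default"

printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' \
    'auth required pam_unix.so' > "$demo_dir/su.hardened"

printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth sufficient pam_wheel.so trust use_uid' \
    'auth required pam_unix.so' > "$demo_dir/su.trust"

for f in default hardened trust; do
    printf 'su.%s: %s\n' "$f" "$(su_wheel_status "$demo_dir/su.$f")"
done
```

On a real host, point the function at /etc/pam.d/su and confirm group membership separately with `getent group wheel`.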